80
How to secure (podman or docker) containers for public-facing hosting? (lemmy.ml)
submitted 10 months ago* (last edited 10 months ago) by cyclohexane@lemmy.ml to c/linux@lemmy.ml
24 comments fedilink hide all child comments

Context

I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.

Requirements

I want to run applications within containers such that they

  • Must not be able to interfere with applications running on host
  • Must not be able to interfere with other containers or applications inside them
  • Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.

Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.

What I found so far

  • Running containers in rootless mode: in other words, running the container daemon with an unprivileged host user
  • Running applications in container under unprivileged users: the container user under which the container is ran should be unprivileged
  • Networking: The container's networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.

Alternative solution

I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.

you are viewing a single comment's thread
view the rest of the comments
[-] Atemu@lemmy.ml 1 points 10 months ago

Why does it need to be public-facing? There may be solutions that don't require exposing it to billions of people.

Security is always about layers. The more independent layers there are, the fewer the chances someone will break through all of them. There is no one technology that will make your hosting reasonably secure, it's the combination of multiple.

You've already mentioned software ran inside an unprivileged sandbox.

There's also:

  • Sandbox ran unprivileged inside a VM
  • VM ran inside unprivileged sandbox
  • Firewall only allowing applications to open certain ports
  • Server running all of that hosted by someone else on their network with their own abstractions
[-] cyclohexane@lemmy.ml 1 points 10 months ago

I'm thinking of hosting things like small fediverse servers, which from my understanding need to be public facing. Also thinking of running a monero node.

this post was submitted on 07 Jan 2024
80 points (93.5% liked)

Linux

48132 readers
480 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
nooter692@lemmy.ml
AgreeableLandscape@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz